Episode 481

From Paul's Security Weekly

Paul's Security Weekly - Episode 481

Episode Audio

Recorded: September 15, 2016

Announcements

  • Visit http://securityweekly.com/hotseat for the latest edition happening on Sept 13th at 2PM EST, register today! We will sit down with Yolonda Smith, Director of Product Management with Pwnie Express. We will dig into the shift in the number, types, and ownership of devices showing up on enterprise networks, and how you can protect your company from new threats from these devices. We will also get into some cool tech for monitoring and securing your enterprise from wireless, Bluetooth, cellular and even good old wired device threats.
  • Make sure you visit http://securityweekly.com/subscribe and subscribe to our new shows including Enterprise Security Weekly and Startup Security Weekly. You can also subscribe to all shows individually, as well as a main feed which contains this show, Hack Naked TV and Enterprise Security Weekly.

Interview: Josh Abraham, Praetorian - 6:00PM-6:30PM

At Praetorian, Josh is a key member of the technical execution team. In this capacity, he is responsible for leading, directing, and executing client-facing engagements that include Praetorian's tactical and strategic service offerings. Prior to joining Praetorian, Josh spent six years at Rapid7 where he helped build the company's professional services division, defined the firm's core methodologies, and trained new employees on the latest hacking techniques.

Over the years, Josh has become a well-known resource for his contributions to the information security space. An avid researcher and presenter, Josh has spoken at numerous conferences including BlackHat, DefCon, ShmooCon, The SANS Pentest Summit, Infosec World, SOURCE Barcelona, CSI, OWASP, LinuxWorld, Comdex, and BLUG.

In his spare time, Josh is a contributing developer to numerous open source security projects such as the BackTrack LiveCD, BeEF, Nikto, Fierce, Metasploit, GISKismet, and PBNJ. Josh is also a respected security resource to the media and has been quoted by news outlets such as ComputerWorld, DarkReading, and SC Magazine. Josh holds a BS in Computer Science from Northeastern University.

http://www3.praetorian.com/how-to-dramatically-improve-corporate-IT-security-without-spending-millions-report.html

Tech Segment: - 6:30PM-7:30PM

Security News - 7:30PM-8:30PM

Paul's Stories

  1. Internet-Connected Vibrator Connects With Privacy Lawsuit - The company collects users' data without their consent in violation of the federal Wiretap Act and the Illinois Eavesdropping Statute, as well as the Illinois Consumer Fraud Act. Aha, but the issue is really here: the app transmits details such as the date and time of each use, the intensity and mode chosen by the user, and the email address of registered users, according to the lawsuit. The data is tied back to your email address. Collecting information is interesting, but when you tie it back to a person without consent, this is an issue. Again, it underscores the problem most people miss with IoT security: while, yes, there are security concerns of people hacking into your vibrator (which is silly, maybe cute, but not the end-of-the-world attack), the larger concern is privacy and confidentiality. Collecting anonymous data to make your product better, provided you tell people what you are collecting and who you share it with, is typically okay. Knowing the email address, which could also be the username, just smells like a breach, and considering there is a live video and chat feature when paired to your smartphone, this is just a disaster waiting to happen. OH, and We-Vibe says there is no evidence of such a "breach".
  2. Toymakers Are In Trouble For Illicit Data Collection - same deal, and check this out: Sadly, there are currently no plans for a combination of the We-Vibe and Nerf projectile for the Thai market, although such a device would save a fortune on ping-pong balls.
  3. Volkswagen Launches New Cybersecurity Firm To Tackle Car Security - Led by Yuval Diskin, Tsafrir Kats and Dr Tamir Bechor, the new company will "develop advanced cyber security solutions for next-generation connected cars and mobile services." Companies that are embarrassed by a breach create security companies. LOL.
  4. AdBlock Plus launches its ad-selling platform - The Acceptable Ads Platform, as it is known, also lets publishers and bloggers select pre-whitelisted ads to use on their sites. Uhm, the whole point of an ad blocker is to not see ads. This defeats the purpose.
  5. Recovering an iPhone 5c Passcode - Or: The FBI needs computer-security expertise, not backdoors. As we all expected, yeah, it's possible to recover. So either the FBI doesn't have the talent, or this was a PR/political move. You pick.
  6. Critical Fixes Issued for Windows - Let's just give up on endpoint patching and use endpoint protection. Let's see how that goes over.
  7. Tribunal rules computer hacking by GCHQ is not illegal - BBC News - So, the gov't continues to be able to hack into anything, and there are no regulations.
  8. Obama signs two executive orders on cybersecurity -
  9. KoreBlog - This. is. awesome. Backdoors within backdoors and a complete technical write-up. It begs the question: can we come up with a standard for securing IoT, or do we need multiple standards for each industry? Cable modems seem like a problem we can solve, but how many standards do we need? Also, I don't agree with Patrick from RB; I believe IoT security is a big deal, but we are just explaining it wrong.
  10. 35 - This was a terrible article from The Reg on the issue of cable modems. I will save you the time and tell you not to read it unless you are just reading it for entertainment value.

Larry's Stories

Jeff's Stories

http://www.dailymail.co.uk/news/article-3789271/Driver-charging-Samsung-Galaxy-Note-7-car-caused-huge-highway-explosion-phone-blew-passenger-seat.html

http://events.pcisecuritystandards.org/las-vegas-2016/

Michael's (Santa) Stories

Carlos's Stories

Jack's Stories